Testing Virtual Private Network (VPN) Interoperability

Jemal Mohammed Tahir
Testing Virtual Private Network (VPN) Interoperability
Helsinki Metropolia University of Applied Sciences
Bachelor of Engineering
Information Technology
Thesis
05 May 2015

Abstract

Author(s): Jemal Mohammed Tahir
Title: Testing Virtual Private Network (VPN) Interoperability
Number of Pages: 58 pages + 3 appendices
Date: 05 May 2015
Degree: Bachelor of Engineering
Degree Programme: Information Technology
Specialisation option: Computer Networks and Security
Instructor(s): Erik Pätynen, Senior Lecturer

As corporations grow their businesses, they may need additional remote branch offices in disparate locations. These remote offices need a connection to the central corporate network so that they can access resources and services securely over the public network. Deploying Virtual Private Networks (VPNs) is one technology that meets this demand.

The primary objective of this final year project was to test secure VPN interoperability between two different vendors' gateways connected by a site-to-site VPN, so that data can be transported back and forth securely over a non-secure network infrastructure, the Internet.

In practice, the project was carried out in a laboratory environment using two different vendors' gateway devices to simulate a company's sites in different geographical locations. The network devices were configured to use an IPsec site-to-site VPN, and the VPN tunnel that formed was tested. The project thus verified interoperability between dissimilar vendors over a secure VPN, namely an IPsec site-to-site VPN. It can be concluded that interoperability was achieved; the data transported through the public network was tested and confirmed to be secure and encrypted.

As a corporate branch office grows in size, VPN authentication using a Preshared Key (PSK) does not scale, so it is a good choice to consider a central certificate authority (CA) to authenticate VPN peers.

Keywords: VPN, IPsec VPN, site-to-site VPN, IPsec interoperability

Contents

1 Introduction
2 Computer Networking
2.1 Internetworking
2.2 Internetwork Addressing
2.3 Local Area Network (LAN)
2.4 Wide Area Network (WAN)
2.5 Firewalls
3 Virtual Private Networks (VPNs)
3.1 Overview of VPNs
3.2 VPN Devices and Technologies
3.3 Remote-access VPN
3.4 Site-to-site VPN
4 Benefits of VPN Security
4.1 Overview of Cryptography
4.2 Confidentiality
4.3 Data Integrity
4.4 Authentication
4.5 Anti-replay Protection
5 Internet Protocol Security (IPsec)
5.1 IP Security Overview
5.2 IPsec Framework
5.3 IPsec Protocol
5.4 Internet Key Exchange (IKE) Protocol
6 VPN Gateway Products
6.1 Cisco Adaptive Security Appliance (ASA) Firewall
6.2 Juniper SRX Firewall
7 Research Project and Project Implementation
7.1 Requirements
7.2 Network Topology Design and Implementation
7.3 IP Addressing Scheme
7.4 IPsec Site-to-site VPN Configurations
7.4.1 ASA 5505 IPsec VPN Configuration
7.4.2 SRX240 IPsec VPN
7.5 Analysis
8 Discussion and Conclusion
References
Appendices
Appendix 1. ASA 5505 Firewall Configuration File
Appendix 2. SRX 240 Firewall Configuration File
Appendix 3. Testing Listing 1

Abbreviations

3DES Triple Digital Encryption Standard
AES Advanced Encryption Standard
API Application Programming Interface
ARP Address Resolution Protocol
ASICs Application Specific Integrated Circuits
ATM Asynchronous Transfer Mode
CAM Content Addressable Memory
CPU Central Processing Unit
DES Digital Encryption Standard
DH Diffie-Hellman
FDDI Fibre Distributed Data Interface
FTP File Transfer Protocol
GRE Generic Routing Encapsulation
HMAC Hashed Message Authentication Code
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IDEA International Data Encryption Algorithm
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IKE Internet Key Exchange
IKEv1 Internet Key Exchange version 1
IKEv2 Internet Key Exchange version 2
IP Internet Protocol
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
ISO International Organization for Standardization
ISP Internet service provider
LAN Local Area Network
LLC Logical Link Control
MAC Media Access Control
MD5 Message Digest 5
MPLS Multiprotocol Label Switching
NAT Network Address Translation
OSI Open Systems Interconnection
OTP One-time pad
PAT Port Address Translation
PDU Protocol Data Unit
PVC Permanent Virtual Circuit
QoS Quality of Service
RC Rivest Cipher
RFC Request for Comments
RSA Rivest-Shamir-Adleman
SHA-1 Secure Hash Algorithm 1
SHA-2 Secure Hash Algorithm 2
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
VLAN Virtual Local Area Network
VoIP Voice over IP
VPN Virtual Private Network
WAN Wide Area Network

1 Introduction

In the past, business corporations implemented leased or dedicated lines to connect to their branch offices or telecommuters in order to ensure secure data transfer. However, dedicated leased lines are not practical for corporations in terms of cost, coverage area and the time needed for installation.

In recent years, with the rapid development of network technology, the direction of the technology has changed dramatically and the Internet has become abundant, available almost everywhere. However, traffic on the Internet is exposed to attackers sniffing sensitive information. Virtual Private Networks (VPNs) have become an alternative solution to the security breaches that result from using the public network, which is unsecured, for private communications. As security is the top priority, an established VPN allows packets to tunnel through the public network over a secure connection, as if they were on a private network. A VPN tunnel uses cryptographic techniques to protect VPN packets from interception by attackers as they traverse the public carrier network. The main VPN technologies that provide secure communication are IPsec VPN and SSL VPN. IPsec is a protocol suite geared around the security of data communication. It consists of components for authentication, data integrity, confidentiality and anti-replay protection. An IPsec VPN secures the tunnel that is established over a non-secure network.

The goal of this final year project is to test secure VPN interoperability between two different vendors' gateways, a Cisco ASA 5505 and a Juniper SRX240, connected using an IPsec site-to-site VPN, so that data can be transported back and forth securely over the non-secure public network infrastructure that is the Internet. The project is directed at students who have a basic knowledge of networking.

This thesis is divided into 8 chapters. Chapter 2 will discuss internetworking, LANs, WANs and firewalls. Chapter 3 will explain VPN devices, remote-access VPN and site-to-site VPN. Chapter 4 will describe the benefits of VPN security and chapter 5 the IPsec security protocol. Chapter 6 will explain VPN gateway products and chapter 7 the research and project implementation. Chapter 8 will contain the discussion and conclusion of the project.

2 Computer Networking

2.1 Internetworking

Recently the Internet has changed the world of communication channels, and intercommunication has become vital in our daily lives. The computer revolution is a key factor in this dramatic change in the information sector. The Internet encompasses thousands of computer networks that interconnect a vast number of computing devices around the globe. [1]

The demand for networks and networking has shown an exponential increase in the past two decades. Among the benefits for telecommuters, headquarters, branch offices and home offices is connectivity whether they are located in the same place or in different geolocations, together with the sharing of services and resources; for example, they can share data, printers, video conferencing and VoIP services. [5]

An internetwork is a combination of multiple local area networks connected through gateway devices that contribute and forward routing information for packets among the networks. The gateways can be routers, firewall appliances or layer 3 switches whose interfaces are configured using the IPv4 or IPv6 addressing scheme. Figure 1 below illustrates different internetworking technologies interconnected via routers, bridges and switches. The internetworking technologies shown in figure 1, for example LAN (Local Area Network) and WAN (Wide Area Network), are described in detail in sections 2.3 and 2.4. FDDI and Token Ring are legacy technologies that have been replaced with newer technologies that are more economical and scalable. [2]

Figure 1. An Internetwork Formed from Different Network Segments.

Establishing a working and efficient internetwork is not an easy task. Certain areas need to be addressed to maintain smooth working conditions. Some of the internetworking challenges are listed below:

Connectivity: The issue when connecting multiple different networks is achieving successful connectivity to the end device on the other side, for example when that end device implements a different networking technology and different kinds of media running at various bandwidth levels. [2]

Reliability: The company's network connectivity is expected to work, and its services to be reachable, all the time. [2]

Centralized network management: Additionally, it is good to secure the network from inside and outside users; most security attacks come from users in the internal network. Network management provides troubleshooting and management of security issues, configuration and performance in the network. [2]

Adaptation to change: Internetworks must be flexible enough to change in this dynamic world, since technology is changing all the time. [2]

It is time now to introduce some of the commonly used internetworking devices and their functions in the communication system.

Figure 2. Internetworking Devices

Figure 2 illustrates some of the internetworking devices, such as routers, bridges, switches and hubs.
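The introduction names anti-replay protection as one of the four IPsec services. As an added illustration that is not code from the thesis or from either vendor's gateway, the following Python reads the SPI and sequence number from constructed ESP packets and applies the RFC 4303 sliding-window anti-replay check that a receiving gateway performs; the window size, SPI value and packet order are assumed sample values.

```python
import struct

# ESP fixed header (RFC 4303): 32-bit SPI, then a 32-bit sequence number.
ESP_HEADER = struct.Struct("!II")

def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the first 8 bytes of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet shorter than ESP header")
    return ESP_HEADER.unpack_from(packet)

class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3). Bit i of `bitmap`
    is set once sequence number (top - i) was accepted. A real gateway runs this
    only after the ICV verifies, so a forged packet cannot advance the window."""
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # first valid ESP sequence number is 1
            return False
        if seq > self.top:                 # right of window: slide and accept
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:            # left of window: too old, drop
            return False
        if self.bitmap & (1 << offset):    # already seen: replay, drop
            return False
        self.bitmap |= 1 << offset         # late but new: accept
        return True

def make_esp(spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    return ESP_HEADER.pack(spi, seq) + payload  # header + opaque (encrypted) payload

def filter_replays(packets, window_size: int = 64):
    """Return (accepted, dropped) sequence numbers for a packet stream."""
    window = ReplayWindow(window_size)
    accepted, dropped = [], []
    for pkt in packets:
        _spi, seq = parse_esp_header(pkt)
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped

# Constructed sample on SPI 0x1000: in-order, reordered, replayed and stale packets.
SAMPLE = [make_esp(0x1000, s) for s in (1, 2, 3, 2, 5, 4, 1, 70, 3)]
```

Sequence 4 arriving after 5 is accepted (reordering inside the window), the repeated 2 and 1 are rejected as replays, and 3 arriving after 70 is rejected because it has fallen out of the 64-packet window.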
